| id: GO-2024-2611 |
| modules: |
| - module: google.golang.org/protobuf |
| versions: |
| - fixed: 1.33.0 |
| vulnerable_at: 1.32.0 |
| packages: |
| - package: google.golang.org/protobuf/encoding/protojson |
| symbols: |
| - UnmarshalOptions.unmarshal |
| derived_symbols: |
| - Unmarshal |
| - UnmarshalOptions.Unmarshal |
| - package: google.golang.org/protobuf/internal/encoding/json |
| symbols: |
| - Decoder.Read |
| derived_symbols: |
| - Decoder.Peek |
| summary: Infinite loop in JSON unmarshaling in google.golang.org/protobuf |
| description: |- |
| The protojson.Unmarshal function can enter an infinite loop when unmarshaling |
| certain forms of invalid JSON. This condition can occur when unmarshaling into a |
| message which contains a google.protobuf.Any value, or when the |
| UnmarshalOptions.DiscardUnknown option is set. |
| ghsas: |
| - GHSA-8r3f-844c-mc37 |
| references: |
| - fix: https://go.dev/cl/569356 |
| cve_metadata: |
| id: CVE-2024-24786 |
| cwe: 'CWE-1286: Improper Validation of Syntactic Correctness of Input' |
| references: |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU/ |
| - http://www.openwall.com/lists/oss-security/2024/03/08/4 |
| review_status: REVIEWED |
